Abstract. The hidden shift problem is a natural place to look for new
separations between classical and quantum models of computation. One 
advantage of this problem is its flexibility, since it can be defined for a 
whole range of functions and a whole range of underlying groups. In a 
way, this distinguishes it from the hidden subgroup problem where more 
stringent requirements about the existence of a periodic subgroup have 
to be made. And yet, the hidden shift problem proves to be rich enough 
to capture interesting features of problems of algebraic, geometric, and 
combinatorial flavor. We present a quantum algorithm to identify the 
hidden shift for any Boolean function. Using Fourier analysis for Boolean 
functions we relate the time and query complexity of the algorithm to 
an intrinsic property of the function, namely its minimum influence. We 
show that for randomly chosen functions the time complexity of the algorithm
is polynomial. Based on this we show an average case exponential
separation between classical and quantum time complexity. A perhaps
interesting aspect of this work is that, while the extremal case of the
Boolean hidden shift problem over so-called bent functions can be reduced
to a hidden subgroup problem over an abelian group, the more
general case studied here does not seem to allow such a reduction. 



1 Introduction 

Hidden shift problems have been studied in quantum computing as they provide
a framework that can give rise to new quantum algorithms. The hidden shift
problem was first introduced and studied in a paper by van Dam, Hallgren and
Ip [vDHI06] and is defined as follows. We are given two functions $f$, $g$ that map
a finite group $G$ to some set with the additional promise that there exists an
element $s \in G$, the so-called shift, such that for all $x$ it holds that $g(x) = f(x+s)$.
The task is to find $s$. Here the group $G$ is additively denoted, but the problem can
be defined for non-abelian groups as well. The great flexibility in the definition
allows it to capture interesting problems ranging from algebraic problems such as
the shifted Legendre symbol [vDHI06], over geometric problems such as finding
the center of shifted spheres [CSV07, Liu09] and shifted lattices [Reg04], to
combinatorial problems such as graph isomorphism [CW07].

Notable here is a well-known connection between the hidden subgroup problem
for the dihedral group, a notoriously difficult instance which itself has
connections to lattice problems and average case subset sum [Reg04], and a hidden
shift problem over the cyclic group $\mathbb{Z}_n$ where the functions $f$ and $g$ are injective
[Kup05, MRRS07, CvD07]. It is known [FIM+03, Kup05] that the hidden shift
problem for injective functions $f, g : G \to S$ that map from an abelian group $G$ to
a set $S$ is equivalent to the hidden subgroup problem over the semi-direct product
between $G$ and $\mathbb{Z}_2$, where the action of $\mathbb{Z}_2$ on $G$ is given by the inverse. We
would like to point out that the functions studied here are Boolean functions
(i.e., $G = \mathbb{Z}_2^n$) and therefore far from being injective. Even turning them into
injective quantum functions, as is possible for bent functions [Rot10], seems not
to be obvious in this case. Another recent example of a non-abelian hidden shift
problem arises in a reduction used to argue that the McEliece cryptosystem
withstands certain types of quantum attacks [DMR10].

In this paper we confine ourselves to the abelian case and in particular to the 
case where $G = \mathbb{Z}_2^n$ is the Boolean hypercube. The resulting hidden shift problem
for Boolean functions, i.e., functions that take n bits as inputs and output just 1 
bit, at first glance looks rather innocent. However, to our knowledge, the Boolean 
case was previously only addressed for two extreme cases: a) functions which 
mark precisely one element and b) functions which are maximally apart from 
any affine Boolean function (so-called bent functions). In case a), the problem 
of finding the shift is the same as unstructured search, so that the hidden shift 
can be found by Grover's algorithm [Gro96] and the query complexity is known 
to be tight and is given by $O(\sqrt{2^n})$.

In case b) the hidden shift can be discovered in one query using an algorithm
that was found by one of the co-authors [Rot10], provided that the dual of the
function can be computed efficiently, where the definition of the dual is via the
Fourier spectrum of the function which in this case can be shown to be flat in
absolute value. If no efficient implementation of the dual is known then still a
quantum algorithm exists that can identify the hidden shift in $O(n)$ queries.
The present paper can be thought of as a generalization of this latter algorithm 
to the case of Boolean functions other than those having a flat spectrum. This 
is motivated by the quite natural question of what happens when the extremal 
conditions leading to the family of bent functions are relaxed. In this paper we 
address the question of whether there is a broader class of functions for which 
hidden shifts of a function can be identified. 

The first obvious step in the direction of a generalization is actually a roadblock:
Grover's search problem [Gro96] can also be cast as a hidden shift problem. In
this case the corresponding class of Boolean functions are the delta functions,
i.e., $f, g : \{0,1\}^n \to \{0,1\}$, where $g(x) = f(x+s)$ and $f(x)$ is the function that
takes value 1 on input $(0, \ldots, 0)$ and 0 elsewhere and $g(x)$ is the function that
takes the value 1 on input $s$ and 0 elsewhere. Grover's algorithm [Gro96] allows
one to find $s$ in time $O(\sqrt{2^n})$ on a quantum computer (which is also the fastest
possible [BV97]).



Thus, the following situation emerges for the quantum and the classical query
complexities of these two extremal cases: for bent functions the classical query
complexity^1 is $\Omega(\sqrt{2^n})$ and the quantum query complexity^2 is $O(n)$. For delta
functions the classical query complexity is $\Theta(2^n)$ and the quantum query
complexity is $O(\sqrt{2^n})$.

For a general Boolean function the hidden shift problem can be seen as lying 
somewhere between these two extreme cases. This is somewhat similar to how the 
so-called weighing matrix problem [vD08] interpolates between the Bernstein- 
Vazirani problem [BV97] and Grover search, and how the generalized hidden shift 
problem [CvD07] interpolates between the abelian and dihedral hidden subgroup
problems. However, apart from these two extremes, not much is known about 
the query complexity of the hidden shift problem for general Boolean functions. 

The main goal of this work was to understand the space between these two 
extremes. We show that there is a natural way to "interpolate" between them 
and to give an algorithm for each Boolean function whose query complexity 
depends only on properties of the Fourier spectrum of that function. 

Prior work. As far as hidden shifts of Boolean functions are concerned, besides
the mentioned papers about the bent case and the case of search, very little was
known. The main technique previously used to tackle the hidden shift problem was
computing a suitable convolution. However, in order to maintain unitarity,
many of the features of the target function that we want to compute the convolution with
had to be "sacrificed" by requiring the function to become diagonal unitary,
leading to a renormalization of the diagonal elements, an issue perhaps first
pointed out by [CM04]. No such renormalization is necessary if the spectrum
is already flat, which corresponds to the case of the Legendre symbol [vDHI06]
(with the exception of one special value at 0) and the case of bent functions
which was considered in [Rot10].

Our results. We introduce a quantum algorithm that allows us to sample from
vectors that are perpendicular to the hidden shift $v$ according to a distribution
that is related to the Fourier spectrum of the given Boolean function $f$. If $f$ is
bent, then this distribution is uniform which in turn leads to a unique
characterization of $v$ from $O(n)$ queries via a system of linear equations. For general
$f$ more queries might be necessary and intuitively the more concentrated the
Fourier spectrum of $f$ is, the more queries have to be made: in the extreme case
of a ($\pm 1$ valued) delta function $f$ the spectrum is extremely imbalanced and
concentrated almost entirely on the zero Fourier coefficient which corresponds
to the case of unstructured search for which our algorithm offers no advantage
over Grover's algorithm. For general $f$ we give an upper bound on the number
of queries in terms of the influence $\gamma_f$ of the function $f$, where the influence is
defined as $\gamma_f = \min_v \left(\Pr_x[f(x) \neq f(x+v)]\right)$.

^1 Note that the query complexity depends crucially on how the functions $f$ and $g$
can be accessed: the stated bounds hold for the case where $f$ and $g$ are given as
black-boxes. If $f$ is a known bent function, then it is easy to see that the classical
query complexity becomes $O(n)$.

^2 A further improvement is possible in case the so-called dual bent function $\tilde{f}$ is
accessible via another black-box: in this case the quantum query complexity becomes
constant [Rot10].

From a simple application of the Chernoff bound it follows that it is extremely 
unlikely that a randomly chosen Boolean function will give rise to a hard instance 
for our quantum algorithm. This in turn gives rise to our main result of the paper: 

Theorem 2 (Average case exponential separation). Let $(O_f, O_g)$ be an
instance of a Boolean hidden shift problem (BHSP) where $g(x) = f(x+v)$ and $f$
and $v$ are chosen uniformly at random. Then there exists a quantum algorithm
which finds $v$ with bounded error using $O(n)$ queries and in $O(\mathrm{poly}(n))$ time
whereas any classical algorithm needs $\Omega(2^{n/2})$ queries to achieve the same task.

This result can be interpreted as an exponential quantum-classical separation 
for the time and query complexity of an average case problem. Finally, we would 
like to comment on the relationship between the problem considered in this 
paper and the abelian hidden subgroup problem. It is interesting to note, yet 
not particularly difficult to see, that the case of a hidden shift problem for bent 
functions can be reduced to that of an abelian hidden subgroup problem. The 
hiding function in this case is a quantum function, i.e., it takes values in the 
set of quantum sets rather than just basis states. For the case of a non-bent 
function, including the cases of random functions considered here, the same 
direct correspondence to the hidden subgroup problem over an abelian group 
no longer exists, i.e., even though there is no obvious group/subgroup structure
present in the function $f$, the algorithm can still identify the hidden shift $v$.

2 Preliminaries 

Definition 1 (Boolean Hidden Shift Problem). Let $n > 1$ and let
$f, g : \mathbb{Z}_2^n \to \mathbb{Z}_2$ be two Boolean functions such that the following conditions hold:

— if for some $t \in \mathbb{Z}_2^n$ it holds that $f(x) = f(x+t)$ then $t = 0$;

— for some $s \in \mathbb{Z}_2^n$ it holds that $g(x) = f(x+s)$.

If $f$ and $g$ are given by two oracles $O_f$ and $O_g$, we say that the pair $(O_f, O_g)$
defines an instance of a hidden shift problem (BHSP) for the function $f$. The
value $s \in \mathbb{Z}_2^n$ that satisfies $g(x) = f(x+s)$ is the solution of the given instance
of the BHSP.

We also consider the $\{+1, -1\}$-valued function $F$ corresponding to the
function $f$ and view it as a function over $\mathbb{R}$, that is,

$F : \mathbb{Z}_2^n \to \mathbb{R} : x \mapsto (-1)^{f(x)}$. (1)

The arguments of these functions are assumed to belong to $\mathbb{Z}_2^n$, and their inner
product is defined accordingly, i.e., $\langle u, v \rangle = \sum_i u_i v_i$. We also denote by
$\chi_u(\cdot)$ the elements of the standard Fourier basis corresponding to $\mathbb{Z}_2^n$, that is,
$\chi_u(v) =$ for every $u, v \in \mathbb{Z}_2^n$.

We will see that the complexity of the BHSP depends on the notion of influence.

Definition 2 (Influence). For any Boolean function $f$ over $\mathbb{Z}_2^n$ and $n$-bit string
$v$, we call $\gamma_{f,v} = \Pr_x[f(x) \neq f(x+v)]$ the influence of $v$ over $f$, and
$\gamma_f = \min_v \gamma_{f,v}$ the minimum influence over $f$.

The following lemma relates the influence over a Boolean function $f$ to the
Fourier spectrum of its $\{+1, -1\}$-valued analog $F$, see also [GOS+09, Fact 11,
p. 14].

Lemma 1. $\gamma_{f,v} = \sum_{u : \langle v, u \rangle = 1} \hat{F}(u)^2$.

We give a proof of this lemma in Appendix A for completeness. 



3 Our algorithm 

Theorem 1. There exists a quantum algorithm that solves an instance of BHSP
defined over the function $f$ using expected $O(n/\sqrt{\gamma_f})$ oracle queries. The
algorithm takes expected time polynomial in the number of queries.

Fig. 1. Quantum circuit for the Sampling Subroutine.



Proof. The algorithm relies on the Sampling Subroutine described in Fig. 1,
where $H$ denotes the standard Hadamard gate, $Z$ is a phase gate acting on one
qubit as $Z : |b\rangle \mapsto (-1)^b |b\rangle$, and $O_f$ is the oracle for $f$ acting on $n + 1$ qubits as
$O_f : |b\rangle|x\rangle \mapsto |b \oplus f(x)\rangle|x\rangle$ (similarly for $O_g$). The algorithm works as follows:

Quantum algorithm

1. Set $i = 1$.

2. Run the Sampling Subroutine. Denote by $(b_i, u_i)$ the output of the
   measurement.

3. If $\mathrm{Span}\{u_k \mid k \in [i]\} \neq \mathbb{Z}_2^n$, increment $i \leftarrow i + 1$ and go back to step 2.
   Otherwise set $t = i$ and continue.

4. Output "$s$", where $s$ is the unique solution of

   $$\begin{cases} \langle u_1, s \rangle = b_1, \\ \quad \vdots \\ \langle u_t, s \rangle = b_t. \end{cases}$$



Obviously, this algorithm makes $O(t)$ quantum queries to the oracles and its
complexity is polynomial in $t + n$. The quantum state before the measurement
is 



Its measurement therefore always returns a pair $(b_i, u_i) \in \{0,1\} \times \{0,1\}^n$ where
$\langle u_i, s \rangle = b_i$. Moreover, since by construction $\mathrm{Span}\{u_i \mid i \in [t]\} = \mathbb{Z}_2^n$, the system
of equations in step 4 admits a unique solution that can only be the hidden shift
$s$, thus the final answer of our algorithm is always correct.

We now show that the algorithm terminates in bounded expected time. We
need to prove that repeatedly sampling using the procedure in step 2 yields $n$
linearly independent vectors $u_i$, therefore spanning $\mathbb{Z}_2^n$, after a bounded expected
number of trials $t$. Let $(B, U)$ be a pair of random variables describing the
measurement outcomes for the Sampling Subroutine, and denote the
marginal distribution of $U$. From the right-hand side of (2) it is clear that



Note that this distribution does not depend on g. 

Let $d_i$ be the dimension of $\mathrm{Span}\{u_k \mid k \in [i]\}$. By construction, we have $d_1 = 1$,
$d_t = n$ and $d_{i+1}$ equals either $d_i$ or $d_i + 1$. Let us bound the probability that
$d_{i+1} = d_i + 1$, or, equivalently, that $u_{i+1} \notin \mathrm{Span}\{u_k \mid k \in [i]\}$. This probability can
only decrease as $d_i$ increases, so let us consider the worst case where $d_i = n - 1$. In
that case, there exists some $v \in \mathbb{Z}_2^n \setminus \{0\}$ such that $\mathrm{Span}\{u_k \mid k \in [i]\}$ is exactly the
subspace orthogonal to $v$. Then, the probability that $u_{i+1}$ distributed according
to does not lie in this subspace (and hence $d_{i+1} = d_i + 1$) is given by



which follows from Lemma 1. Therefore, for any $i$, the probability that
$d_{i+1} = d_i + 1$ is at least $\gamma_f = \min_v \gamma_{f,v}$, and the expected number of trials before it
happens is at most $1/\gamma_f$. Since $d_i$ must be incremented $n$ times, the expected
total number of trials $t$ is at most $n/\gamma_f$.

Using quantum amplitude amplification, we can obtain a quadratic improvement
over this expected running time. Indeed, instead of repeating the Sampling
Subroutine $O(1/\gamma_f)$ times until we obtain a sample $u$ not in the subspace
spanned by the previous samples, we can use quantum amplitude amplification,
which achieves the same goal using only $O(1/\sqrt{\gamma_f})$ applications of the quantum
circuit in the Sampling Subroutine (see [BHMT02, Theorem 3]). We therefore
obtain a quantum algorithm that solves the problem with success probability 1
and an expected number of queries $O(n/\sqrt{\gamma_f})$. □
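
Added example (not part of the original paper): a classical simulation of steps 1-4 of the algorithm above, together with a numerical check of Lemma 1. It assumes the normalization $\hat{F}(u) = 2^{-n} \sum_x F(x) \chi_u(x)$ with $\chi_u(x) = (-1)^{\langle u, x \rangle}$ and that the Sampling Subroutine returns $u$ with probability $\hat{F}(u)^2$; all function names and the sample function F_TABLE are constructed for illustration.

```python
import random

def dot(u, v):
    """Inner product <u,v> over Z_2 of two n-bit strings packed into ints."""
    return bin(u & v).count("1") & 1

def fourier(f):
    """Fhat(u) = 2^-n * sum_x (-1)^(f(x) + <u,x>), by fast Walsh-Hadamard."""
    a = [(-1) ** bit for bit in f]
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return [c / len(a) for c in a]

def influence(f, v):
    """gamma_{f,v} = Pr_x[f(x) != f(x+v)], straight from the truth table."""
    return sum(f[x] != f[x ^ v] for x in range(len(f))) / len(f)

def fourier_influence(f, v):
    """Right-hand side of Lemma 1: sum of Fhat(u)^2 over u with <v,u> = 1."""
    return sum(c * c for u, c in enumerate(fourier(f)) if dot(u, v))

def make_sampler(f, s, rng):
    """Classical stand-in for the Sampling Subroutine (assumption: u is drawn
    with probability Fhat(u)^2). s is used only to produce b = <u,s>."""
    weights = [c * c for c in fourier(f)]
    def sample():
        u = rng.choices(range(len(f)), weights)[0]
        return dot(u, s), u
    return sample

def find_shift(sample, n):
    """Steps 1-4: draw (b_i, u_i) until the u_i span Z_2^n, then solve
    <u_i, s> = b_i over Z_2. Returns (s, t) with t the number of samples."""
    pivots, t = {}, 0                      # leading bit -> reduced (u, b)
    while len(pivots) < n:
        b, u = sample()
        t += 1
        for p in sorted(pivots, reverse=True):   # eliminate known leading bits
            if (u >> p) & 1:
                u, b = u ^ pivots[p][0], b ^ pivots[p][1]
        if u:                              # u was outside the current span
            pivots[u.bit_length() - 1] = (u, b)
    s = 0
    for p in range(n):                     # back-substitute, low bit first
        u, b = pivots[p]
        if b ^ dot(u, s):
            s |= 1 << p
    return s, t

# Constructed sample: f(x) = x0*x1 + x2*x3 + x4 on n = 5 bits (not bent).
N = 5
F_TABLE = [((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1)) ^ (x >> 4 & 1)
           for x in range(2 ** N)]

if __name__ == "__main__":
    secret = 0b10110
    print(find_shift(make_sampler(F_TABLE, secret, random.Random(7)), N))
```

For F_TABLE the minimum influence is 1/2, so by the bound above the loop needs at most $n/\gamma_f = 2n$ samples in expectation.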

In case a lower bound on $\gamma_f$ is known, we have the following corollary:

Corollary 1. There exists a quantum algorithm that solves an instance of BHSP
defined over the function $f$, with the promise that $\gamma_f > \delta$, with success probability
at least $1 - \varepsilon$ and using at most $O(n \log(1/\varepsilon)/\sqrt{\delta})$ oracle queries. The algorithm
takes expected time polynomial in the number of queries.

Proof. This immediately follows from Markov's inequality, since it implies that
the algorithm in Theorem 1 will still succeed with constant probability even
when we stop after a time $O(n/\sqrt{\gamma_f})$ if it has not succeeded so far. □



4 Classical complexity of random instances of BHSP 

In this section we show that a uniformly chosen instance of BHSP is exponentially
hard classically with high probability.

Lemma 2. A classical algorithm solving a uniformly random instance of BHSP
with probability at least 1/2 makes $\Omega(2^{n/2})$ oracle queries.

Proof. Consider a classical algorithm $\mathcal{A}_{\mathrm{cla}}$ that makes $t_{\mathrm{cla}}$ queries to the oracles
$O_f$ and $O_g$ and with probability at least 1/2 returns the unique $s$ satisfying
$g(x) = f(x+s)$ (cf. Definition 1). For notational convenience we assume that
$\mathcal{A}_{\mathrm{cla}}$ only makes duplicated queries $(f(x), g(x))$. This can at most double the
total number of oracle calls.

Consider the uniform distribution of $f : \mathbb{Z}_2^n \to \mathbb{Z}_2$ and $s \in \mathbb{Z}_2^n$, and let an
input instance of BHSP be chosen accordingly. Let $(X_1, \ldots, X_{t_{\mathrm{cla}}})$ be random
variables representing the queries made by $\mathcal{A}_{\mathrm{cla}}$. Then by the correctness
assumption, the values $f(X_1), g(X_1), \ldots, f(X_{t_{\mathrm{cla}}}), g(X_{t_{\mathrm{cla}}})$ can be used to predict
$s$ with probability at least 1/2.

First we observe that if, after $k$ queries, it holds that $X_i - X_j \neq s$ for every
$i, j \in [k]$, then even conditionally on the values of $f(X_1), g(X_1), \ldots, f(X_k), g(X_k)$
every $s \notin \{X_i - X_j \mid i, j \in [k]\}$ has exactly the same probability to occur. More
precisely, if $S_k = \{X_i - X_j \mid i, j \in [k]\}$ and $E_k$ is the event that $s \in S_k$, we have

$$\Pr[s = s_0 \mid \neg E_k] = \frac{1}{2^n - |S_k|}$$

for any $s_0 \notin S_k$ and $0 \leq k \leq t_{\mathrm{cla}}$. In other words, modulo "$s \notin S_k$" the actual
values of $f$ and $g$ at points $\{X_i \mid i \in [k]\}$ provide no additional information about
$s$, and the best the algorithm can do in that case is a random guess, which
succeeds with probability at most $1/(2^n - k^2)$.



Now let us analyze the probability that $S_{t_{\mathrm{cla}}} = \{X_i - X_j \mid i, j \in [t_{\mathrm{cla}}]\}$ contains
$s$, that is, $\Pr[E_{t_{\mathrm{cla}}}]$. Since $|S_{k+1}| - |S_k| \leq k$, we have by the union bound

Consequently, 

cla cla 

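Finally, we can bound the probability that the algorithm succeeds after $t_{\mathrm{cla}}$ oracle
queries as

$\Pr[\mathcal{A}_{\mathrm{cla}} \text{ succeeds}] = \Pr[\mathcal{A}_{\mathrm{cla}} \text{ succeeds} \mid E_{t_{\mathrm{cla}}}] \cdot \Pr[E_{t_{\mathrm{cla}}}]$

$\quad + \Pr[\mathcal{A}_{\mathrm{cla}} \text{ succeeds} \mid \neg E_{t_{\mathrm{cla}}}] \cdot \Pr[\neg E_{t_{\mathrm{cla}}}]$

$\quad \leq \Pr[E_{t_{\mathrm{cla}}}] + \Pr[\mathcal{A}_{\mathrm{cla}} \text{ succeeds} \mid \neg E_{t_{\mathrm{cla}}}] \leq$ + ,

which is larger than 1/2 only if $t_{\mathrm{cla}} \in \Omega(2^{n/2})$, as required. □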

We are now ready to state our main theorem which is an exponential
quantum-classical separation for an average case problem.

Theorem 2 (Average case exponential separation). Let $(O_f, O_g)$ be an
instance of a Boolean hidden shift problem (BHSP) where $g(x) = f(x+v)$ and $f$
and $v$ are chosen uniformly at random. Then there exists a quantum algorithm
which finds $v$ with bounded error using $O(n)$ queries and in $O(\mathrm{poly}(n))$ time
whereas any classical algorithm needs $\Omega(2^{n/2})$ queries to achieve the same task.

Proof. For a fixed $v$ and randomly chosen $f$, consider the $2^{n-1}$ mutually
independent events "$f(x) = f(x+v)$". By definition of $\gamma_{f,v}$ and the Chernoff
bound, the probability that $\gamma_{f,v} < 1/3$ is at most $e^{-\Omega(2^n)}$. Since this is
double-exponentially small in $n$ we obtain from an application of the union bound to the
$2^n$ possible values of $v$ that if $f : \mathbb{Z}_2^n \to \mathbb{Z}_2$ is chosen uniformly at random then
$\Pr_f[\gamma_f < 1/3] \in e^{-\Omega(2^n)}$. We now apply Corollary 1 for constant $\gamma_f$ to obtain
a quantum algorithm that uses at most $O(n)$ queries and outputs the correct
hidden shift $v$ with constant probability of success (i.e., $\varepsilon$ is chosen to be
constant). Combining this with the exponential lower bound from Lemma 2 implies
that there is an exponential gap between the classical and quantum complexity
of the BHSP defined over a random Boolean function. □

5 Discussion and open problems 



We presented a quantum algorithm for the Boolean hidden shift problem that is
based on sampling from the space of vectors that are orthogonal to the hidden
shift. It should be noted that our algorithm reduces to one of the two algorithms
given in [Rot10] in case the function is a bent function. We related the running
time and the query complexity of the algorithm to the minimum influence of the
function and showed that for random functions these complexities are polynomial.
This leads to an average case exponential separation between the classical
and quantum time complexity for Boolean functions. An interesting question
is whether these methods can be generalized and adapted for the case of
non-Boolean functions also. Furthermore, we conjecture that the complexity of our
quantum algorithm is optimal up to polynomial factors for any function.
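
A Proof of Lemma 1

Lemma 1. $\gamma_{f,v} = \sum_{u : \langle v, u \rangle = 1} \hat{F}(u)^2$.

Proof. Let us consider the following function $F_v(x) \stackrel{\mathrm{def}}{=} F(x) - F(x+v)$. Its
Fourier transform reads

$$\hat{F}_v(u) = \mathbb{E}_x\left[F(x) \cdot \chi_u(x) - F(x+v) \cdot \chi_u(x)\right] = (1 - \chi_u(v)) \cdot \hat{F}(u).$$

Therefore, we have

$$\sum_{u : \langle v, u \rangle = 1} \hat{F}(u)^2 = \frac{1}{4} \sum_u \left|(1 - \chi_u(v)) \cdot \hat{F}(u)\right|^2 = \frac{1}{4} \sum_u \hat{F}_v(u)^2$$

$$= \frac{1}{4}\, \mathbb{E}_x\left[F_v(x)^2\right] = \Pr_x[F(x) \neq F(x+v)] = \gamma_{f,v},$$

where in the second line we have used Parseval's identity.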



□ 



